What happens to data in a deleted account

I have a family 1Password.com account, and a family member has asked me to delete her user account. What I'd like to know is whether this will also lock her out of the data on her PC and iPad. I hope that the answer is no, and that the result will be similar to what happens when a 30-day trial expires, but I want to be sure before I take an irrevocable step.

It strikes me as dangerous to allow a 1P/Fam admin to wipe the data in another user's personal vault. Suppose someone has changed all their email and banking passwords and doesn't remember them anymore? My deleting their account would really ruin their lifeday month.

Ben F

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

Hi @benfdc - Great question and thanks for asking! When a family member is deleted from a 1Password Families account, all access to the account via the apps and web app is revoked. Any data stored within their Personal/Private vault that is connected to the Families account will be deleted. They can move their data to an Individual account or standalone vault before being removed. Since the Personal/Private vault is connected to the Families account, there is no way (currently) for the family member to retain the data within this vault after being deleted from the account. I appreciate the feedback and let us know if you have any additional questions.

Thanks for the clear answer, @Frank. You have my thoughts on whether this behavior is desirable, and I have nothing to add to them, other than to observe that what is reasonable for 1P/Teams may not be reasonable for 1P/Families.

I have a few follow-up questions. If I cancel someone's account, does the user automatically get a notification email? Will a cancelled user lose his or her data on a device which is offline at the time of cancellation, or a device where the app is not running while the device is online? If not, will I receive some sort of notification that some devices were not immediately scrubbed, and another when they have been? My thinking behind these questions: if I am supposed to be able to scrub 1Password.com data from a user's devices, shouldn't I have a way of knowing whether or not I succeeded?

Also, what if the cancelled user made backups of her Windows vault? Couldn't she restore the backup when her PC was offline?

If I cancel someone's account, does the user automatically get a notification email? Will a cancelled user lose his or her data on a device which is offline at the time of cancellation, or a device where the app is not running while the device is online?

@benfdc: No. In that case there won't be any way for the app to receive this change from the server.

If not, will I receive some sort of notification that some devices were not immediately scrubbed, and another when they have been?

No, but that's something we've considered. I'm not sure what the right balance would be there.

My thinking behind these questions: if I am supposed to be able to scrub 1Password.com data from a user's devices, shouldn't I have a way of knowing whether or not I succeeded?

I think that's a reasonable point, but it's a tough nut to crack. It's something we discuss a lot, but at the end of the day there's no way to ensure revocation if the device is offline. So there are definitely two sides to this coin. And you're right that what's appropriate for families may not be for teams and vice versa, regardless of the technical challenges. So we'll see what we can come up with.

Also, what if the cancelled user made backups of her Windows vault? Couldn't she restore the backup when her PC was offline?

Can you clarify? 1Password.com doesn't have a local backup process currently on any platform. It's something we've considered, but as you illustrated above that would have its own problems.

Thanks for bringing this stuff up! I'd love to hear what others think as well.

Thanks for the followup, @brenty! Much appreciated. And I too would love to hear what others think.

I'm not sure that your observation that "there's no way to ensure revocation if the device is offline" fully answers my question about feedback. I guess it depends on whether your server knows the identities of devices that are associated with a user account, or at least how many devices are associated. If the server knows this, and if apps acknowledge receipt of directives to scrub a user account, then this feedback could be communicated back to admins. Those are a lot of "ifs" on my end, but surely you can enlighten me.

Let me make one more point. If these things aren't clearly documented yet, IMO they should be. And even if they are clearly documented somewhere, the info should be easier to find than it is now.

Also one more question. Does suspending a 1P/Fam user account result in the same scrubbing of on-device data that deleting the account does? I'd guess that the answer is yes, but I'd appreciate confirmation.

I'm not sure that your observation that "there's no way to ensure revocation if the device is offline" fully answers my question about feedback. I guess it depends on whether your server knows the identities of devices that are associated with a user account, or at least how many devices are associated.

If the server knows this, and if apps acknowledge receipt of directives to scrub a user account, then this feedback could be communicated back to admins. Those are a lot of "ifs" on my end, but surely you can enlighten me.

Yeah, plenty of "if"s to go around!

One issue is timing. If we do something like this, how long should the server wait for a response? And how much the server complains to the admin is something that would need to be balanced with that. Heck, my Mac is asleep something like 50% of the time, so chances are that if my account is deleted, a vault removed, etc., it's going to be a long time before it could give a response. So while the admin probably wants to know if the operation was successful, the urgency and frequency of notifications that it has failed are really a big question mark. I just don't have a sense for what would be appropriate and useful, and we're probably only going to get there with feedback based on real-world scenarios as we hear from customers — likely companies predominantly.

Let me make one more point. If these things aren't clearly documented yet, IMO they should be. And even if they are clearly documented somewhere, the info should be easier to find than it is now.

We don't typically document features that don't exist, but I may be fundamentally misunderstanding. Can you tell me more about what you have in mind?

Also one more question. Does suspending a 1P/Fam user account result in the same scrubbing of on-device data that deleting the account does? I'd guess that the answer is yes, but I'd appreciate confirmation.

Yes. Suspend can be thought of as a "soft" delete which can be reversed. Deleting an account is irrevocable. Great questions!

What I'm thinking is clearly documenting that 1password.com data in the personal vault of a suspended or deleted user account is scrubbed from the user's devices as soon as the server makes contact with the app on those devices.

The documentation should also explain what happens to data in shared vaults when a user is suspended or deleted. Does it matter whether the deleted user was the creator of the shared vault? Does the vault survive even if every user who shared it is deleted? It strikes me that many of these issues could be dealt with in a reasonable manner if, and perhaps only if, the admin who is deleting or suspending a user account is notified about the status of shared vaults which could be affected by the action and offered appropriate management options (e.g., reassigning "creator" status to another user).

Apparently we need to work on our internal documentation as well, as @brenty actually got that one wrong.

Also one more question. Does suspending a 1P/Fam user account result in the same scrubbing of on-device data that deleting the account does? I'd guess that the answer is yes, but I'd appreciate confirmation.

The answer to this is "No". Suspending an account does not remove data locally; it only makes that data inaccessible. To the end user the result might be the same: the data is inaccessible. You should think of suspension as just stopping a user from doing anything with the data. Whereas deletion is really deletion. Suspension is much less dangerous to data as it will leave any unsynced changes alone such that when you remove the suspension the unsynced data can be uploaded fine.

We're in the process of re-thinking a lot of this stuff. Not so much the suspended state, but how deletions work. We agree that deletions in a company setting means something very different than in a family setting. In this case the fact that 1Password Families will forcefully delete the vault of someone locally isn't because we really thought that that was a good idea, but simply because 1Password Families is based upon the same technology as 1Password Teams. We're trying to figure out the best way of handling something like this.

If I could have my unicorn, in a family setting a user deletion wouldn't be a deletion at all. I would love for a user deletion to be more like "split off this user into their own account". When a child becomes an adult, wouldn't it be nice to not have to create a new 1Password Individual account and migrate data over to that, but instead just spin off that person's account into a new one?

You're absolutely right that we need good documentation around all of this.

Thanks for the clarification on the effect of suspension on data located on a device. Can you elaborate on what happens to data in shared vaults that are created by a suspended or deleted user?

If I understand correctly, “split off this user into their own account” means that the user's apps become read- and export-only unless and until the user decides to subscribe. That is exactly what I would like to see, as it implements the core principle that “your data belongs to you.” As things stand now, data in a 1P/Teams or 1P/Families user account is insecure in a very meaningful sense of the word.

In G-Suite, users have to check a box acknowledging that their accounts are managed by admins and are subject to suspension or deletion. Is there a comparable warning when 1P/Families and 1P/Teams user accounts are created? If not, there needs to be.

One way to skin this cat without introducing a fork between the 1P/Fam and 1P/Teams code bases would be for user accounts to be designated, at the time of creation, as either deletable or severable. If a user account is deletable then the user knows that access to data stored in a personal vault can be lost. If a user account is severable then the user knows that access to data stored in a personal vault cannot be lost. I'm having a hard time thinking of a use case for 1P/Fam where one would want to designate a user account as deletable, but that may just be a shortcoming of my imagination. :-) A variation: the ability to create user accounts that are deletable rather than merely severable could be made one of the features that distinguishes Family and Team accounts.

Can you elaborate on what happens to data in shared vaults that are created by a suspended or deleted user?

I assume you mean currently as opposed to in my dream world of how it'd work.

Suspension is simply a user attribute, and it applies to everything regarding that user account. The user loses their access to their Private vault, the global Shared vault, and any other vault that they have access to. This is done by the apps themselves, not by removing any data, but by disallowing the user from making use of it. The user can see which vaults they have, but trying to view anything inside of those vaults will not work.

Deletion on the other hand actually removes access to all of those shared vaults (whether the user created them or not) from the server. This means that the user loses the keys to those vaults.

When creating the vault (in 1Password Teams), there's a checkbox to allow admins to manage the vault. If the user checked that checkbox, then even if they were the only user who was part of that vault, the admins can give someone else access. All vaults that a user creates have the Owner group given Manage access, so that group can always give someone else access.

So the data in those user-created vaults remains safe even after user deletion. In a 1Password Families scenario, the Family Organizers are both Admins and Owners, and the user doesn't get the option to not give Admin manage rights.

If I understand correctly, “split off this user into their own account” means...

To be clear, I was talking about the future here. What I described is not what is implemented. It's what I personally would like to see implemented. I'm not sure if it's technically possible given how we've built things and how authentication works.

I'm having a hard time thinking of a use case for 1P/Fam where one would want to designate a user account as deletable

Guest accounts are meant to be temporary and short lived. Sometimes people pass away and there's no value in severing the account. The world is a messy place.

What I described is not what is implemented. It's what I personally would like to see implemented. I'm not sure if it's technically possible given how we've built things and how authentication works.

I hear you, @rickfillion. I guess my bottom line is that the design choice made here strikes me as a poor one. As things stand now, it seems to me that a prudent 1P/Fam user MUST maintain good backups of the personal vault, and it is not easy to securely back up the contents of a 1Password vault. Back in the days of 1Password 3 there were options to export to Palm and to HTML, but those days are long gone.

I suppose that one way to approach this problem would be for a suspended or deleted user to lose access to shared vaults immediately but be notified and given a reasonable period of time to open another account (such as an individual account) and have the ability to transfer over whatever items he or she wishes via the usual copy/move mechanism. If the account were deleted then the "slot" in the 1P/Families account might still be freed up immediately if the account owner wished to send an invitation to someone else. It's not an ideal solution, but IMO it'd be a good deal better than the status quo.

Where there's a will, I'm inclined to believe that there must be a way.

Likewise! Definitely some options to consider. While it would be nice if we were able to anticipate everything and build things accordingly from the start, I'm really glad I've been able to use 1Password.com with my team and family in the meantime, even while there's plenty of room for improvement. Thanks for the great feedback on this, and pushing for us to do better.

Don't get me wrong; I'm very much enjoying 1P/Fam myself. It's just that, when a family member asked me to delete her account, I found it hard to believe that my doing so would shred her data. In my case it was the result that she wanted—no harm, no foul—but all the same it wasn't the behavior I would have expected. Indeed, it seemed to go against the 1Password philosophy as I have always understood it. I almost dismissed the possibility out of hand, but somehow caution got the better of me and I decided to post my question here in the forum before going further. (It would be nice if I could honestly say that this sort of caution on my part were the rule rather than the exception to the rule.)

I'm very curious to know whether there is a different underlying philosophy for 1P/Fam or whether the ability of an account admin to destroy another user's data without notice or recourse represents an unintended departure from a company consensus about the way that things ought to be. The only thing I'm really anticipating, @brenty, is that sometimes family members are capable of doing cruel, vindictive, or stupid stuff. Maybe that's not part of the threat model for which the product is designed. OK, fine. You are unquestionably entitled to define your threat model. But if that is the case then IMO you ought to be very clear about it, because it doesn't strike me as realistic or reasonable, in the specific context of 1P/Families, to ignore insider attacks. Abusive relationships are not uncommon in families, and neither are "practical jokes."

Just because a security product is designed to facilitate cooperation and sharing doesn't mean that there's no need to make it robust in the not-at-all unforeseeable event that cooperation breaks down. Not an issue in my personal case, of course. No way would my current spouse become the vindictive monster that my former spouse did. And I would never behave that way myself.

Under the present state of play, I suppose that a prudent holder of a 1P/Fam user account should either have a separate, individual 1Password.com subscription or else get a traditional 1Password app license for at least one device, and use the other account or app license to back up the user's personal 1P/Fam vault as well as whatever stuff of personal importance might be present in shared 1P/Fam vaults. It's not ideal, though, because it requires manual backups. I'd much prefer a world in which one could enjoy the benefits of a 1P/Fam user account without having to rely on some outside procedure for protection against data loss resulting from unexpected account suspension or deletion.

I found it hard to believe that my doing so would shred her data. In my case it was the result that she wanted—no harm, no foul—but all the same it wasn't the behavior I would have expected.

@benfdc: Yeah. The tough thing is that there's a good argument to be made on both sides. Certainly in some cases deleting data along with the account is the thing we want to happen, while in others it isn't.

The only thing I'm really anticipating, @brenty, is that sometimes family members are capable of doing cruel, vindictive, or stupid stuff.

That's an excellent point.

Under the present state of play, I suppose that a prudent holder of a 1P/Fam user account should either have a separate, individual 1Password.com subscription or else get a traditional 1Password app license for at least one device, and use the other account or app license to back up the user's personal 1P/Fam vault as well as whatever stuff of personal importance might be present in shared 1P/Fam vaults. It's not ideal, though, because it requires manual backups. I'd much prefer a world in which one could enjoy the benefits of a 1P/Fam user account without having to rely on some outside procedure for protection against data loss resulting from unexpected account suspension or deletion.

You're absolutely right. 1Password.com is an immense help when it comes to data loss prevention in most cases, but this is one where things are a bit muddy. On the one hand, I really don't want to end up on the receiving end of an account deletion, accidental or otherwise; the only protection against that is not giving anyone else access to my account (done) and not having any other Organizers (problematic). Yet at the same time if I choose to delete my account, I want it gone. I'm just not sure what the right balance is there. It's something we'll have to consider carefully, ideally with continued feedback from customers.

@benfdc: Thanks for elaborating on that. It's not that we don't consider your scenario a serious one. We do. As I stated above, 1Password Families grew out of 1Password Teams and in that scenario it makes sense. We absolutely want to do something better/more appropriate for 1Password Families, but there are just so many hours in a day. We'll get there.

I'm currently working on something that should hopefully help in the interim until we have a better solution. I'm not sure when what I'm working on will ship, and it's still in early stages so I can't go into details about it.

I really appreciate being heard. Thank you. I can't think of anything further to add right now, but if something crosses my mind I'll probably follow up in this thread, and if there's anything else you think I might be able to clarify for you or contribute I'm sure you can find a way to reach out to me.

FYI, my old school primary and secondary vaults are syncing via Dropbox, I currently run the beta app and extensions on my Mac, I run the regular iOS app on an iPhone 6, and I have the regular Android app installed on a seldom-used LG V940N tablet.

I've been using 1Password for over seven years, @rickfillion, and y'all have been engaging with me for most of those years. I've ALWAYS felt heard, and in an earlier iteration of the forum software I was officially dubbed "Perspective Giving Member." Sometimes we agreed about things and sometimes not, but I can count on the fingers of one hand the number of times that I felt my concerns had been unreasonably dismissed. The reason I engage is that you've always made it worth my time and energy to do so.

Several years ago I was briefly banned from the forums once or twice, but even those actions, IMO, were fair! Ironically, what got me banned was my being too persistent, from y'all's perspective, about advocating the use of LastPass as a complement to 1Password when users identified legitimate needs that 1Password, being a Mac and Windows app rather than a cloud-based browser extension, could not satisfy at that time. It's understandable that y'all could not openly endorse my suggestions and could see them as problematic. It says a lot about y'all that we were able to work things out.

Did my persistent advocacy play any role in 1Password's evolution to a cloud-based service? Who knows? Who cares? I'm happy that it's working, notwithstanding that it is, and may always be, a work in process.

@benfdc: Last August I said that I was working on something that'd help us in the interim. Some of that 'something' has come to fruition in the form of 1Password 7 for Mac. Version 7 of our Mac app contains an extra mechanism that automatically creates encrypted backups of vaults. Currently there's no feature in the app to make these backups visible or usable to the user, but that should be coming soon. The idea here was that if one user maliciously deletes the account of another user, the user should have backups to help them through the ordeal.